GitHub detector silently ignores rate-limit, reports valid tokens as unverified

[rgmz]

The GitHub detector does not have any status code checks and minimal error handling. Consequently, important responses like rate limit errors are silently skipped.

trufflehog/pkg/detectors/github/v1/github_old.go

Line 135 in 726a1b7

if res.StatusCode >= 200 && res.StatusCode < 300 {

This is exacerbated by the fact that:

1. the V1 detector seems to incorrectly match uppercase characters
2. The detectors do not implement entropy checks to filter obvious false-positives
3. matches are not cached and instead indiscriminately re-tested, causing an excessive amount of outgoing requests.

IMO, any detector that contains if err == nil is defective.

Example

This required custom code in order to surface.

Found unverified result 🐷🔑❓
Verification issue: unexpected response: 403, '{
  "documentation_url": "https://docs.github.com/free-pro-team@latest/rest/overview/rate-limits-for-the-rest-api#about-secondary-rate-limits",
  "message": "You have exceeded a secondary rate limit. Please wait a few minutes before you try again. If you reach out to GitHub Support for help, please include the request ID FB58:28A6E9:8CC7F:110648:673FC6EF."
}'
Detector Type: Github
Decoder Type: BASE64
Raw result: 6DA9C48BA71FBD34DBD8E460B7CE81EE238CA410
Rotation_guide: https://howtorotate.com/docs/tutorials/github/
Version: 1
...

---

This is likely related to the issue @ankushgoel27 noted in Slack.

https://trufflehog-community.slack.com/archives/CK3UYAQF2/p1731731489015699